CHAPTER 11 Public Key Infrastructure > Registration - Pg. 160

Eleventh Hour Security+: Exam SY0-201 Study Guide (p. 160)

Another method of verifying the state of a certificate is the Online Certificate Status Protocol (OCSP). OCSP was defined to get PKI certificate revocation past the limitations of CRL schemes. Rather than shipping a list of every certificate a CA has ever revoked, an OCSP response reports the status of only the certificate (or certificates) the client asks about, so the large files used in a CRL never have to be transmitted.

With OCSP, the client sends a query identifying a particular certificate (by a hash of the issuer's name, a hash of the issuer's public key, and the certificate's serial number) to an OCSP responder, usually over Hypertext Transfer Protocol (HTTP). The responder may be run by the CA itself or by a party the CA has delegated to. Once the query is received and processed, the responder replies to the originator with the status of the certificate, as well as information about the response itself. An OCSP response consists of:

- the status of the certificate ("good," "revoked," or "unknown")
- the time of the last update to that status (thisUpdate)
- the time the status is next expected to be updated (nextUpdate), when the responder supplies one
- the time the response was produced and sent back to the requestor (producedAt)

The response is signed by the responder. A client should verify that signature, and confirm that the signer is the issuing CA or a responder the CA has authorized, before acting on the status; a client should also treat "unknown" as exactly that, not as "good."

One of the most glaring weaknesses of OCSP is that a response speaks only to the certificate(s) named in the request. It reports on the end-entity certificate and does not attempt to validate the certificate of the CA that issued it, so the client still has to check the rest of the chain separately.